# Compliance
Greenlight is built to slot into the compliance frameworks customer organizations already operate under. The platform’s job is to make the evidence trail trivial to assemble; the certifications themselves belong to the operating organization, since Greenlight runs entirely in the customer’s cloud and the customer is in control of the data.
## What Greenlight gives you for evidence
The structured audit log is the spine of the evidence story. Today, Greenlight records the events needed to support customer-led compliance reviews:
| Control area | Evidence Greenlight produces |
|---|---|
| Access control | Role assignments and revocations, with the IdP group mapping that produced them. |
| Change management | Every PR, every policy-check result, every override with reason and reviewer. |
| Data access | Per-call records for every integration call, including bound user, app, upstream, and response code. |
| Configuration management | Every policy bundle change, every integration registration, every secret rotation. |
| Incident response | Every kill, restore, and override event, with timestamps and actor identities. |
Full audit search, export, SIEM forwarding, WORM storage, and HMAC signing are coming soon. Until those ship, Greenlight’s compliance value is the durable audit trail it writes inside the customer’s installation.
## Framework status
| Framework | Status |
|---|---|
| SOC 2 Type 2 | Current evidence model; formal customer-facing packet coming soon |
| HIPAA | Requires planned tamper-evident audit storage before production use |
| ISO 27001 | Coming soon |
| PCI-DSS | Not in scope |
The current evidence model can support SOC 2-style change-management, access-review, and privileged-action evidence. It is not a certification claim. Customers subject to HIPAA, NIS2, DORA, ISO 27001, or any other regime that requires tamper-evident, immutable retention should wait for the planned tamper-evident audit storage.
## What the customer is responsible for
Because Greenlight runs inside the customer’s cloud and uses the customer’s IdP, the customer organization is the controller in the data-protection sense. They retain responsibility for:
- The cloud subscription’s security posture (account-level MFA, root-account hygiene, IAM).
- The IdP’s security posture (SSO configuration, MFA enforcement, conditional access).
- The integrations they choose to grant and the credentials they provide for them.
- The retention posture and evidence collection process for the audit log.
- End-user data handling — Greenlight does not see or process data passing through the data broker, beyond the metadata captured in audit.
This division is the same as any in-cloud platform: the cloud provider is responsible for the substrate; the customer is responsible for what they build on top of it. Greenlight sits in the customer’s column.
## Coming soon
Mapped compliance packets, formal control matrices, and auditor-facing export workflows are coming soon. Contact early-access@greenlightbyshift.com for the current security review packet.